HYPERELLIPTIC CURVES FOR PUBLIC KEY 

CRYPTOSYSTEMS 


by 

Nitu Jain 



Tfll DEPARTMENT OF ELECTRICAL ENGINEERING 

aup INDIAN INSTITUTE OF TECHNOLOGY KANPUR 

JANUARY 1997 



HYPERELLIPTIC CURVES FOR PUBLIC KEY 
CRYPTOSYSTEMS 


A Thesis Submitted 

in Partial Fulfilment of the Requirements 
for the Degree of 

Master of Technology 


by 

Nitu Jain 


to the 

Department of Electrical Engineering 

Indian Institute of Technology, Kanpur 

Jan 1997 



f ? Ma,'. .^9ST 




LiBRAHlt 

• I. T,. KANPUK 


4«jb.At23209i] 





Certificate 


Certified that the work contained in the thesis entitled “Hyper- 
elliptic Curves for Public Key Cryptosystems” ^ by Ms. Nitu 
Js:in, has been carried out under my supervision and that this 
work has not been submitted elsewhere for a degree. 







(Dr. M. U. Siddiqi) 

Professor, 

Department of Electrical Engineering, 
Indian Institute of Technology, 
Kanpur. 


Jan 1997 



Abstract 


Security of some of the existing public key cr}^ptosystems has been seriously 
threatened by the recent advances in computing discrete logarithms and integer 
factorization. In this thesis, we present the issues related to the implementation of a 
hyperelliptic cryptosystem. The discrete logarithm problem so far for these systems 
is intractable. The Jacobian of a hyperelliptic curve defined over a finite field forms 
an abelian group. For a secure cryptosystem, the group order should have a large 
prime factor. We have selected certain curves and tabulated the order of their 
Jacobian for varying n, when the ground field has characteristic two. An efficient 
algorithm for computing the multiple of a group element has been presented. Its 
effectiveness has been shown by tabulating the timing details.The concept of normal 
basis representation is introduced for enhancing the efficiency. Diffie Heilman key 
exchange and ElGamal scheme has been described with reference to hyperelliptic 
curves. Attempt has been made to design a hyperelliptic curve analog of ElGamal 
scheme, for the case of genus two. 



Acknowledgements 


I express my sincere and heartfelt gratitude to my thesis supervisor, 

Dr. M.U. Siddiqi- His esteemed guidance helped me to sail through the toughest of 
times. Words are not enough to express my thanks for his tolerance and cooperation 
during the final stages. 

I take this oppurtunity to thank my labmates and friends for their invaluable 
support and cooperation in the work. 

I dedicate this work to my family, the heavens of all places, without which I 
would never have been able to accomplish this task. 



Contents 


1 INTRODUCTION 5 

1.1 Overview of cryptography 5 

1.1.1 Private key cryptography 6 

1.1.2 Diffie- Heilman Key Exchange 8 

1.1.3 Public Key Cryptography 9 

1.1.4 Digital signatures 10 

1.1.5 RSA Cryptosystem 11 

1.1.6 ElGamal Cryptosystem 12 

1.2 Purpose of the present work 13 

1.3 Organization of thesis 14 

2 FEW PRELIMINARIES 12 

2.1 Homogeneous Polynomials and Projective Spaces 12 

2.2 Plane Algebraic Curves 13 

2.3 Singularities of a curve 15 

2.4 Birational Geometry 15 

2.5 The Genus of a curve 18 

2.6 Divisor Theory 19 

3 Hyperelliptic cryptosystems 29 

3.1 Introduction 29 

3.2 Hyperelliptic curves and the Jacobian 30 

3.2.1 Group Law 31 

3.3 Security aspects of hyperelliptic curves 35 


1 



3.4 Order of Jacobian 37 

3.5 Cryptosystems 39 

3.5.1 Diffie-Hellman Scheme 39 

3.5.2 ElGamal Scheme 40 

3.6 Implementations over iTj'* 42 

3.6.1 Normal basis representation 42 

4 Results and Conclusion 45 

4.1 Introduction 45 

4.2 Implementation 48 

4.2.1 Construction of irreducible Z(T) 48 

4.2.2 Utilizing Koblitz’s algorithm for computing mD 49 

4.2.3 Computing the order of the Jacobian 52 

4.2.4 Implementation of ElCamal scheme 56 

4.3 Conclusion 60 


2 



List of Figures 

1.1 A cryptographic system 5 

1.2 Secrecy 7 

1.3 Authencity 7 

2.1 Elliptic curve in case of three real roots 18 

2.2 Parametrizing a singular cubic 21 



List of Tables 


4.1 Genus two curves over F 2 with irreducible Z(T) 

4.2 Genus one curves over F 2 with irreducible Z(T) 49 

4.3 Expressions for computing mD in case of genus two 50 

4.4 Expressions for computing mD in case of genus one 50 

4.5 Average time for computation of mD on the stated curve 51 

4.6 Almost prime values of #J(F 2 n) for C given hy + v = . . 52 

4.7 Almost prime values of #J(F 2 n) for C given by + uv = + 1 . . 53 

4.8 Almost prime values of #J(F 2 n) for G given by + uv = 1 53 

4.9 #J (F 2 n) for C given by v = + 1 54 

4.10 #J(F 2 n) for G given by -bv = + u 54 

4.11 #J(F 2 n) for C given by v = -b u -b 1 55 

4.12 #J(F 2 n) for G given by -b uv = -b 1 55 



Chapter 1 


INTRODUCTION 


1.1 Overview of cryptography 

The fundamental goal of cryptography [6, 17] has historically been to acheive 
privacy, i.e., to enable two people, A and B, to send each other messages over an 
insecure channel in such a way that only the intended recipient can read the message 

A cipher is a secret method of writing whereby plaintext is transformed into ci 
phertext. The process of transforming plaintext into ciphertext is called encryption 
while the reverse is called decryption. 

Cryptanalysis is the science and study of methods of breaking ciphers The 
branch of knowledge embodying both cryptography and cryptanalysis is called cryp- 
tology. 



plaintext 


ciphertext 


plaintext 


Figure 1.1: A cryptographic system 


5 





We begin with an introduction to private and public key cryptography. 


1.1.1 Private key cryptography 

A cryptographic system has five components: 

• A plaintext message space, M. 

• A ciphertext message space, C. 

• A key space, k. 

• A family of enciphering transformations, Ek '■ M -i- C where k G AT . 

• A family of deciphering transformations, Dk : C M where k E K . 


In a private key cryptosystem, A and B, initially agree upon a secret key, k G 
K. For a given k, Dk is the inverse of Ek, 
i.e., 

Dk{Ek{M))^M 

for every plaintext message M. 

There are specific requirements for secrecy and authencity in a cryptographic 
system. Secrecy requires that a cryptanalyst not be able to determine plaintext 
data from intercepted ciphertext. 

Data authencity requires that a cryptanalyst not be able to substitute false 
ciphertext C’ for a ciphertext without detection. 

Cryptosystems must satisfy three general requirements: 

• The enciphering and deciphering transformations must be efficient for all keys. 

• The system must be easy to use. 


• The security of the sysyem should depend only on the secrecy of the keys and 
not on the secrecy of the enciphering and deciphering algorithms, i.e., knowing 
Ek or Dk need not reveal k. 


6 










The most widely used private key cryptosystem today is Data Encryption Stan- 
dard (DES). It was developed by IBM and subsequently adopted as U.S. standard in 
1977 by National Bureau of Standards for the protection of unclassified data. Keys 
in DES are only 56 bits in length. 

Although private key cryptography is adequate for many applications, it has the 
following disadvantages: 

• Key distribution problem: The two users have to select a key in secret before 
they can commence communication over an insecure channel. A secret channel 
for selecting a key may not be available. 

• Key management problem: In a network of ’n’ users, every pair of users must 
share a secret key ,for a total of n(n-l)/2 keys.If ’n’ is large then the number 

• of keys becomes unmanageable. 

• No signatures possible: A digital signature allows the receiver of a message to 
convince any third party that the message infact originated from the sender. In 
a private key cryptosystem, A and B, have the same capabilities for encryption 
and decryption and thus B cannot convince a third party that message he 
received from A infact originated from A. 

Diffie and Heilman invented Public key cryptography (PKC) in 1976 to address 
these deficiencies [7]. 

1.1.2 DifRe-Hellman Key Exchange 

In [7] Diffie and Heilman described the protocol known asDiffie-Hellman key ex- 
change in terms of an arbitrary group. 

• (setup) A and B publicly select a finite group G and an element ct e G. 

• A generates a random integer a , computes a“ in G and transmits o:“ to B 
over a public communications channel. 


8 



• B generates a random integer b , computes in G and transmits to A over 
the same channel. 


• A receives a^’ and computes (a*)®. 

• B receives and computes 

A and B now share the common group element Note that an eavesdropper 
C knows G, a, a“, and a^, and his task is to use this information to reconstruct 
a“*. This problem is commonly called DifRe-Hellmcin problem. 

The problem of computing a , given G, a and a“ is called the discrete loga- 
rithm problem. The security of the Diffie-Hellman key exchange is based on the 
intractibility of the discrete logarithm problem. 

1.1.3 Public Key Cryptography 

The requirements of a public key system diifer strikingly from those of conventional 
cryptographic systems. What Difiie and Heilman proposed is to use an encryption 
algorithm, E, and a decryption algorithm, D, with B and D chosen so that deriving 
D even given a complete description of E would be effectively impossible. 

Now we establish a secure channel between A and B who never had any previous 
contact. Each user A has a public enciphering transformation Ea described by a 
public key, which may be registered with a public directory , and a private deci- 
phering tranformation Da described by a private key which is known only to that 
user. 

Here secrecy and authencity are provided by the separate transformations. Sup- 
pose user A wishes to send a message M to another user B. If A knows B’s public 
transformation Eb, A can transmit M to B in secrecy by sending the ciphertext 
C = Eb{M). On receipt, B deciphers C using B’s private transformation Db, 
getting 

Db{C) = Db{Eb{M) 

= M. 


9 



To acheive both secrecy and authencity, the sender and receiver must each apply 
two sets of transformations. First A’s private transformation is applied. Then A 
enciphers the result using B’s public enciphering transformation Eb, and transmits 
the doubly transformed message 

C = £b(£>^(M)) 

to B. 

B recovers M by first applying B’s own private deciphering transformation Db, 
and then applying A’s public transformation Ea to validate its authencity, 
getting 

Ea{Db{C)) =Ea{Db{Eb{Da{M)))) 

= Ea{Da{M)) 

To use a public-key system, the ciphertext space C must be equivalent to the 
plaintext space M so that any pair of transformations Ea and Da can operate on 
both plaintext and ciphertext messages. Furthermore, both Ea and Da must be 
mutual inverses so that 

Ea{Da{M)) =Da{Ea{M)) 

= M 

Observe the following ; 

• there is no longer the need to exchange keys in secret prior to communicating. 

• there is only one key pair associated with each user. 

Public key cryptosystems' thus overcome the key distribution and key management 
problems inherent in private key systems. 

1.1.4 Digital signatures 

A digital signature [22] is a property private to a user or a process that is used 
for signing messages. Let B be the recipient of a message M signed by A. Then A’s 
signature must be able to satisfy these requirements. 


10 



• B must be able to validate As siguature on M. 

• It must be impossible for anyone, including B, to forge A’s signature. 

• In case A should deny signing a message M, it must be possible for a judge or 
a third party to resolve a dispute arising between A and B. 

A digital signature, therefore establishes sender’s authencity; it is analogous to or- 
dinary written signature. 

Public-key authentication systems provide a simple scheme for implementing digital 
signatures. 

1.1.5 RSA Cryptosystem 

The RSA cr^-ptosystem was invented in 1977 by Rivest, Shamir and Adleman and 
was the first realization of Diffie and Heilman’s abstract model for PKC. The enci- 
phering and deciphering tranformations are based on Euler’s generalisation of Fer- 
mat’s theorem. Let us look into some definitions before discussing the RSA scheme. 
Definition 1 Given an integer n, 4)(n) is the number of elements in the reduced set 
of residues modulo n, i.e., (j)(n) is the number of positive integers less than n that 
are relatively prime to n. 

In general, for an arbitrary n, d>(n) is given by 

t=i 

where 




Fermat’s Little Theorem 1 Let n be a prime. Then for every a such that 
gcd(a.n) = 1, 

a-n-i ^ ^ (mod n) 

Euler provided a generalised version of the above theorem as follows. 
Euler’s generalisation 1 For every a and n such that gcd(a,n) = 1, 


11 



a<i>{n) = 2 (mod n) 

To set up a RSA system, each user A picks two large primes p and q and computes 
their product 


n~pq 

The group used is G ■= Z*, the multiplicative group of units in the integers modulo 
n. It is well known that the order of G is 

(j){n) = (p-l)(g-l) 

where 0 denotes the Euler phi function. The primes p and q are very large. Although 
n is public, the factors p and q are kept secret. The decryption key, integer d, is 
chosen to be a large random integer which is relatively prime to 0(n). 

gcd(d,d>(n)) = 1 

The encryption key, integer e, is the multiplicative inverse of d, modulo 0(n). 

ed= 1 mod (p(n) 

The message is represented as an integer between 0 and n-1. The message is en- 
crypted by raising it to the power modulo n. To decrypt, the ciphertext is raised 
to another power d modulo n. 

C = E{M) = (mod n), for a message M. 

M = D(C) = (mod n), for a ciphertext C. 

Since d>(n) cannot be determined without knowing the prime factors p and g, it 
is possible to keep d secret even if e and n are made public. Thus, the security of 
RSA scheme depends upon the difficulty of factoring n into p and q. 

1.1.6 ElGamal Cryptosystem 

Let G be a finite group of order n and assume that the discrete logarithm problem 
in G is intractable. In 1985, T. ElGamal proposed the following public key scheme 
based on discrete exponentiation. 


12 



• (setup) A finite group G and element a e G are chosen. Each user picks a 
random integer I (the private key) and makes public a’’ (the public key). We 
suppose that messages are elements of G and that user A wishes to send a 
message M to user B. 

• A generates a random integer k and computes a* 

• A looks up B’s public key a'’ and computes (a'’)* and Ma*’*. 

• A sends to B the pair of group elements (a*", Mo;^*"). 

• B computes (ct*)* and uses this to recover M. 

The security of the Elgamal Cryptosystem is based on the difficulty of the discrete 
logarithm problem. 

1.2 Purpose of the present work 

In a finite abelian group if an element is obtained as a multiple of another known 
element (the "base”), the discrete logarithm problem consists in finding the integer 
that is multiplied by the base to get the element. Whenever we have a finite abelian 
group for which the discrete logarithm problem appears to be intractable, we can 
construct various public key cryptosystems in which taking large multiples of a group 
element is the trapdoor function. Such cryptosystems were first constructed from 
the multiplicative group of a finite field. However, because certain special techniques 
are available for attacking the discrete logarithm problem in that case (especially 
when the field has characteristic two, see [18] ), it is worthwhile to study other 
sources of finite abelian groups. 

It has already been described in [11] how the group of points on an elliptic 
curve can be used to construct public key cryptosystems. The purpose of the present 
work is to discuss a more general class of groups obtained from the jacobians 
of hyperelliptic curves [3, 12]. These Jacobian varieties seem to be a rich source of 


13 



finite abelian groups for which so far as is known ,the discrete logarithm problem is 
intractable. 

Hyperelliptic cryptosystems potentially provide equivalent security as the exist- 
ing public key schemes, but with shorter key lengths. Having short key lengths 
means smaller bandwidth and memory requirements and can be a crucial factor in 
some applications, for example the design of smart card systems. 

Another advantage to be gained is that each user may select a different curve 
C, even though all users use the same underlying field K. Consequently, all users 
require the same hardware for performing the field arithmetic, and the curve C can 
be changed periodically for extra security. 

We pay special attention to the case when the ground field has characteristic 
two, because arithmetic over such fields is particularly amenable to efficient imple- 
mentation and because it is in that case that the multiplicative group of the field 
does not provide secure cryptosystems unless the size of the field is extremely large. 

1.3 Organization of thesis 

The thesis is organized as follows: 

• Chapter 2 introduces the preliminary aspects of algebraic geometry which 
are required in the work. Acquaintance is made with the notion of rational 
functions and divisors. 

• Chapter 3 introduces the hyperelliptic curves and the cryptosystems. The 
problem of determining the number of Fgn points on the Jacobian for varying n 
is discussed. The concept of normal basis is introduced. We describe how such 
public key cryptosystems as the Diffie-Hellman key exchange and ElGamal 
scheme can be carried over to these jacobians. 

• Chapter 4 gives a detailed account of various implementations done as part of 
this thesis. Certain curves have been found which give a large prime factor in 


14 



the order of their Jacobian. Diffie-Hellman key exchange and ElGamal scheme 
is carried over these curves. Results have been tabulated wherever required. 


15 



Chapter 2 


FEW PRELIMINARIES 


This chapter contains certain aspects of algebraic geometry that we need in our 
work. 


2.1 Homogeneous Polynomials and Projective Space 

Suppose f{xj, ...,Xn) in Q[xi,...,Xn], {Q denotes the rational numbers), is a homo- 
geneous polynomial of degree m, i.e., 

f(tXi,...,tXr,) = t”^f{xi,...,x„). 

A point (cj, a„) of C" satisfies 

/(a:i,...,Xn) = 0 (2.1) 

if and only if (taj,..., tan) does, for all t in C. Of course, 0=(0,...,0) always satisfies 
(2.1) and is called its trivial solution. This leads to the concept of a projective space, 
see[.l, 4, 9]. 

For any field K, let 

K = ■( (x^ , . . . , Xn ) I Xj G K ,j = 1 , . . . , n )■ 
be the vector space of n-tuples of elements of K. On the set 

- {0} = {x e I X ^ 0} 


16 



define an equivalence relation by x~y if and only if y = fee for some tin K*, (K* is 
the group of units of a ring K) . Then the set 

P^{K) = - { 0 }} 

of equivalence classes is called the projective space over K, i.e., P'^{K) consists of all 
nonzero vectors in with two vectors x, y not considered different if y = fee 

with i in K*. We can also think of P'^{K) as consisting of lines through the origin 0 
of The affine space A^(K) = may be regarded as a subset of P" = (K) 

by the inclusion map 

A^{K) ^ {xu....Xn) G P^{K). 


2.2 Plane Algebraic Curves 

A curve C defined over Q is the set of solutions of a polynomial equation 

f{x,y) = 0 (2.2) 

with f(x,y) G Q[x,y]. Suppose that 

r 

/(2;, y) = n 

j=l 

is the factorization of f(x,y) into irreducible factors. Then the curves Cj defined by 

Pj{x,y) =0, j = 

are all irreducible. The curve Cis the union of Ci , ..., Cr, called the (irreducible) componem 
of C, see [1, 4]. 

A projective curve over Q is the set of solutions of a homogeneous equation 

F(W,y,Z) = 0 (2.3) 

with F(X, Y,Z) in Q[X, T, Z]. 

One can homogenize (2.2) to get an equation like (2.3) by putting x = X/Z,y = 

Y/Z and then multiplying throughout by ]\'o\v that we have obtained (2.3) 


17 




Figure 2.1: Elliptic curve in case of three real roots 

from (2.2) in this manner, we say that (2.3) is a projective modeliox the affine curve 
C defined by (2.2). The solutions of (2.2) are precisely those solutions of (2.3) for 
which Z 7 ^ 0, because ('a, is a point on (2.2) if and only if Co, 6,1) is a point on (2.3). 

A point(a, b,c) on (2.3) with c = 0 is called a ipoint at infinity on C. The line 
at infinity is the set of all points (X, Y,Z) in P'^{C) for which Z = 

The points on (2.2) are called the affine part of the projective curve(2.3). A 
projective curve is complete in the sense that it has the points at infinity that are 
missing from its affine part. 

We illustrate the concept through an example: 

An elliptic curve E, Fig 2.1, defined over a subfield koi C and written as E/k is 
a projective curve given by 

+ AXZ^ + BZ^{A, Bek), 

where the quantity A = -4A^ — 27B^, called the discriminant of E, is nonzero. 

There is only one point at infinity on the above projective curve. It is given hyZ 
= 0 and is (9 = (0,1,0). It is regarded as a rational point and we may think of E as 
the affine curve 

+ Ax 4" B, 

together with the point 0 = (0,1,0) at infinity. 

IR 


2.3 Singularities of a curve 


Let Cbe a projective curve defined by(2.3). We say that Cis of order n if deg(i^ = 
n. We call C linear, quadratic, cubic, quartic or quintic according as n = 1, 2, 3, 4, or 
5. A point P on (2.3) is a multiple point of multiplicity r > 1 or an r-fold point if all 
the partial derivatives of F(X, Y,Z) of order < r vanish at P, but there is a partial 
derivative of order r that does not vanish at P. 

If r^l, Pis called a regular ov a nonsingularpoint. (For a pointP, not at infinity, 
to be a regular point is equivalent to at least one of dy/dx, dx/dy being well defined, 
i.e.,- to the curve having a unique tangent at P.) If r > 1, P is called a singular point 
or a singularity of C. We say that P is a double or a triple point according as r 
= 2 or 3. A curve is singular if it has a singularity, otherwise it is nonsingular or 
smoothi. 

Example : Let C be the affine curve defined by y^ = x^. To homogenize this 
equation, we put x = X/Z, y = Y/Z and obtain 


F(X,Y,Z) = Y^Z - = 0. 

The singularities of C must satisfy 

dF/dX = -3X2 ^ 0, 
dP/dY = 2YZ = 0, 
dP/dZ = Y^ = 0, 

which are therefore of the form(0,0,.2) with Zj^O. Thus (0,0,1) is the only singularity 
of C. In fact, it is a double point, because 

d^F/dY^ 1 ( 0 , 0 , 1 )# 0 . 


2.4 Birational Geometry 

Suppose X is a field and C is an irreducible cun^e given by a polynomial equation 


19 



f(x,y) = 0 


with coefficients in K. If L is another field with K CL, a point P = (x,y) on C is 
called an L-rational point if x, y € L. 

Our goal is to study the rational points on curves defined over Q, which we 
may assume to be irreducible over Q. The problem gets more complicated as the 
degree (or rather the genus, a term to be explained later, ) of the curve increases. 
We start with the simplest curves. Unless stated otherwise, we shall assume that K 
= L = Q. Consider the field of rational functions 
Q{Xi,...,Xn) 

= 4){Xu-,Xn) = l/,5 e Z[xu...,Xn],g¥=0. 

It is the quotient field of the ring of polynomials Q[xi, ...,x„y. If (j) = f/g € Q{ 
Xi,...,Xn) and P = (ai,...,a„) is a rational point, i.e., if all a,- G Q, then 4>(P) € Q 
[provided g(P) 0]. 

Def. An irreducible curve C defined by f(x,y) = 0 is called a rational curve if there 
are rational functions 0i(i), in Q{t), such that 

• for almost all t, f{((>i(t) , (l> 2 {t)) = 0; and 

• for almost all P on C, P = (4>i(t), (l) 2 {t)). 

We say that C is parametrized by t. 

ExampletFor the cubic. Fig 2.2, 

y^ — X^{X 1) 

X = (flit) ■= t^ — 1 , 
y = (f^it) = tit^ - 1). 

Almost all the rational points on these curves are obtained by taking t from Q. 
Let Cl , C 2 be two'curves such that the coordinates of almost all points on Cz 
are rational functions of the coordinates of points on Ci and vice versa. This means 
that there are rational functions 


20 




Figure 2.2: Parametrizing a singular cubic 
€ Q{^,y), j == i,s 

such that 

• for almost all P on gi{P) 92 {P) 0; and 

. the set {<P{P) = {ct>i{P\<Ps{P)) \ P e Cu9i{P)92{P) 7 ^ 0 } 
accounts for almost all points on 

A similar statement holds in the other direction. Two such curves Ci and Cz are 
called birationally equivalent . If C} and Cs are birationally equivalent, then almost 
all points on one curve are obtained from those on the other by the rational maps : 

4 > ; C\ — >■ C 2 (2-4) 


gi\^en by 


and 


xj) : C 2 — ^ C\ 

tiQ) = (‘il>i(Q),<p2(Q))- 


( 2 . 6 ) 


21 



If ibcj) : Cj Cl and 4>'ip : ^ C 2 are the identity functions, then (2.4) and (2.5) 

describe a birational correspondence between Ci and C^. 

Example:Let Ci be the Fermat cur\^e given by 

= 1 . 

If we make the rational substitution 


■H- 




36 ^, 


we get the curve C 2 with equation 


= - 432 


Remark Birational equivalence between curves is an equivalence relation. If Ci, C 2 
are birationaHy equivalent, then Ci has infinitely many rational points on it if and 
only if C 2 does. 


2.5 The Genus of a curve 

As expected, the curves get more complicated to study as their degree increases. 
But it is really the genus, [4, 9], that tells how complicated a curve is at least as far 
as the study of its rational solutions is concerned. 

TheoremrAet Ci be an irreducible curve of order n with m double points as its only 
singularities. Then 

g = s(Ci) = - m 

is a non-negative integer. 

Theorem: Xet C be an irreducible curve that is birationaHy equivalent to two curves 
Cl and C 2 each with double points as its only singularities. Then g(Ci) = giCf). 


22 



The common value g{C) = g{Ci) = giCs) is called the genus of the (irreducible) 
curve C. Note that ^ is a non-negative integer. \ 

The genus of a curve is invariant under birational equivalence. 

ExampleiLet L be a line. We have n = 1 and m = 0. Therefore, 

g{L) = 0. 

The elliptic curve defined earlier has genus one. 

Any curve of genus larger than one has only finitely many ration..J points. A curve 
of genus one may or may not have infinitely many rational soluLv^ns and it is still 
an open question how to decide whether or not such a curve has only finitely many 
solutions. 


2.6 Divisor Theory 

Divisors, [1, 17, 25, 26] are useful devices for keeping track of the zeros and poles of 
a rational function. 

Let W be a smooth projective curve over K. A divisor D on W is a finite formal sum 

D = T:ap.P,P eX,ap€ Z. 

The support of a divisor D, denoted supp(D), is the set of points {P e X \ ap ^ 0}. 

The set of all divisors, denoted by D, forms a group, '''here the addition is given 
by 

I2p€X op(P) + ^p{P) — I^Pex(^P + ^p){P)' 

D is the free abelian group generated by the points of X. 

The degree of a divisor D = J2o,p{P) is the integer deg(I?) = “p- The degree 

map D — f Z is surjective, its kernel is denoted by D°. Therefore is the set of 
all divisors of degree 0 and it is a subgroup of D. 

If ap >0 for any P then we call D = '£, ap{P) an effective divisor and write 
D >0. If, moreover we call it positive. The set of eff'ective divisors is denoted 
by D+. 


23 



Given two divisors Dj =Y^ rriiPt and D 2 = Y1 n-iPt we define gcd (D; , D^) 

to be {Y^min(mt, n,)P,)°. 

If P is a smooth, irreducible affine curve defined by 

r{x, y) =0, 

where r € K[x,y], then the coordinate ring of over K, denoted K[E\ is the integral 
domain 

m = K[x,y]/{r), 

where (r) denotes the ideal in K[x,y] generated by r. Similarly, we define 

K[E] = K[x,y]/{r). 

Observe that for each I E K[E] we can repeatedly replace any occurrence of y^ by 
y^ — r{x,y) to finally obtain a representation 

l(x,y) = v(x)+yw(x), where v{x), w{x) G K[x]. 

The function field K(E) of E over K is the field of fractions of K[E\. (We know that 
if / is an integral domain then its field of fractions F is the set of equivalence classes 
of quotients a/6, a, 6 G /, 6 t^O, where we identify ai/bi, a 2 /b 2 G F if a^t^ = a^tj. 
Addition and multiplication in F are defined in the natural way.) Similarly, K{E), 
the function field of E over K, is the field of fractions of K[E]. The elements of 
K{E) are called rational functions. 

Let / G K{E)* be a non-zero rational function and F G F | {0}. Then / is said 
to be defined at P if there exists a representation / = g/h, g,h E K[E], with h(P) 
^ 0, If / is defined at F, we put f(P) = g(P)/h(P). It is easy to see that it is 
well-defined, i.e., the value f(P) does not depend on the choice of g and h. If f(P) = 
0, then / is said to have a zero at F. If /is not defined at F then / is said to have a 
pole at F, in which case we write f(P) = 00 . 

ExamplerConsider the elliptic curve E: y^ = x^ — x over a finite field K = Eg, with 
char(F) 7 ^ 2, 3. Let F = (1,0)G F, and let f = (x^ - x)/y G F(F). 


24 



Note that if / is considered as a quotient of polynomials, i.e., / e K{x,y), then 
/is undefined at P. However, as an element of K{E), 

j. — X [x^ — x)y {x"^ — x)y y 

y x^ — X X + 1 ’ 

whence f(P) = 0. 

In defining the value of / at the point O the following approach is taken. 

For / € K[E] we can write l(x,y) = v(x)+yw(x), where v(x), w(x)e K[x]. Assign a 
weight of 2 to X and a weight of (2-^?+l)to y. We define the Degree of I by 

Deg/^j = max(2de5x(t;), 2.genus+l+2de^i(u;)). 

Now, let / = g/h, where g,h e K[x, y]/ (r). 

• If Deg(^)<Deg(/i), then /(O) = 0. 

• If Deg(^)>Deg(/i), then /(O) = oo. 

• If Deg{g) = Deg(/i), then if the highest degree terms in g and h are ax‘^ and 
bx‘^ respectively then f(0) = a/b. Otherwise the highest degree terms are cyx'^ 
and dyx‘^, in which case f{0) = c/d. 

ExamplerConsider the elliptic curve E: y^ = x^ + ax + b. Let/ = y, g = x/y, 
h = (x^ — xy)/{l + xy) E K{E). Then /(O) = oo,5'(O)=0, and h{0) = —1. 

For each point P E E there exists a rational function u E K{E), u{P) =0, such 
that if / G K{E)* then we can write / = u'^s, where s E K{E), s{P) ^^0, oo. The 
integer d does not depend on the choice of u. The function u is called a uniformizing 
parameter for P. The next theorem[9] aids in finding the uniformizing parameters. 
TheoremiTet P E E. If 1: ax+by+c=0 is any line through P that is not the tangent 
line to E at P, then I is a uniformizing parameter for P. 

ExamplerConsider the elliptic curve E:y^ = x^ + ax + b over a finite field K = Fq, 
char(iv)7^2,3. 

• Let P — {c,d) not a member of E[2]. The tangent line to E at P is 


25 



{—3c^ — a){x — c) + 2d{y — d) — 0, 


Since c? 7^ 0, a uniformizing parameter for P is u = x-c. 

• Let P = (c,0)eE be a point of order 2. The tangent line to E at P is 

(— 5 c^ — a){x — c) = 0. 

Therefore u = y is a. uniformizing parameter for P. 

• To find a uniformizing parameter for 0 we need to work with a different set of 

coordinates. Recall that the homogeneous equation for Pis Y^Z = -\- aXZ^ + hZ 

Choosing the affine coordinates v = X/Y,w = Z/Y, the equation for E is trans- 
formed to f{v, w) = + avvj^ -\- bw^ — w = 0. Note that O = (0,0) in {v,w) 

coordinates. Now, 


and 



£(0) = -1. 

• so the equation of the tangent line to P at O is w = 0. The line t; = 0 passes 
through O and is not the tangent line at O. Reverting back to the original 
{x,y) coordinates, u = x/y is a uniformizing parameter for O. 

Let f €. K (P), P £ E. Write / = u^s, where u is any uniformizing parameter for 
P, s G K (P), and s(P)j^ 0, 00. 

The order of f at P is defined to be d, and we write ordp{f) = d. The point P is a 
zero of / if and only if or dp > 0 , in which case its multiplicity is defined to be 
ordp{f). 


Similarly, the point is a pole of / if and only if ordp{f) < 0, in wffiich case its 
multiplicity is defined to be — or <i/>(/). Since a function / has only a finite number 
of zeros and poles on P, we can define div(/), the divisor of / , as 


26 



div(y) =SpE£Ordp(/)(/>). 

A fundamental fact about rational functions is that if / € K{E)*, then div(/)€ 
Moreover, div(/) = 0 if and only li f . 

Example; Consider the elliptic curve E: + ax + b over a finite field 

K = Eg, char(A)# 2, 3 . 

• Let P = (c,d),{ Pis not a member of E[2]). Then 

div(2: — c) = (P) + (-P) - 2 { 0 ). 

• Let P; , Ps, P3, G E be points of order 2. Then 

div(y) = (P;) + (P2) + (Ps) — 3 ( 0 ). 

• Assume that b 7^0, and let P^ = (0, Vb), P5 = (0, —Vb). Then 

ciiv(f) = (P,) + (P5) + ( 0 ) - (P:) - (P,) - (Ps). 

A divisor D £ is principal if D = div(/) for some / € K(E)*. The following 
is a useful characterization of principal divisors. 

TheoremiPef D = l^np(P) be a divisor. Then D is principal if and only ifjfnp 
= 0 and J2np(P) = 0. 

Let Di denote the set of principal divisors. If //,/2 G K(E), then div(/j/2) = 
div(/j)+div(/2); 

it follows that Di forms a subgroup of The quotient group D° /Di is called 
the Jacobian 3 of the curve E. 

Two divisors Dj:,D2 G are said to be equivalent, denoted Dj ~ Pg, if Dj — D2 G Di, 
i.e., if Pj = D2+div(f) for some / G K(E). 

Assume we are given a divisor P G D. We form the set 

L{D) = / G K(E) 1 (/) + P 0 U 0 . 


27 



If D = J2t=i ~ ^;Q 7 ) where m,,n^ >0, then L{D) consists of 0 and all 

functions in K{E), that have zeros of order at least n, at Qj,l < j < t, poles of 
order at most m,- at P,, 1 < f < s, and no other poles. L{D) is a vector space over 
A:, [26]. Let the dimenszon of L{D) over k be denoted by 1{D). 

Lemma: 

1 L{D) = 0 zydeg(P)<0. 

2 L(0) = k. 

3 L{D)is a finite dimensional vector space over k. If deg(D)>0 then l(D)<l+deg(D). 

Now, having being acquainted with the notion of divisors, we introduce the concept 
of hyperelliptic curves in the next chapter. 


28 



Chapter 3 


Hyperelliptic cryptosystems 


3.1 Introduction 

The Jacobian of a hyperelliptic curve C defined over a field K forms an abelian 
group. These Jacobian varieties provide a rich class of abelian groups making them 
attractive for cryptographic implementations. In 1989, Koblitz [12] proposed a vari- 
ant of discrete log cryptography based on the hyperelliptic discrete log problem 
(HDLP). The security of the proposed public key cryptosystems is based on the 
HDLP. These cryptosystems have two potential advantages over systems based on 
the. multiplicative group of a finite field. 

• the great diversity of curves available to provide the groups;and 

• the absence of subexponential time algorithms (such as those of index calculus 
type) that could find discrete logs in these groups. 

Hyperelliptic curve cryptosystems potentially provide equivalent security as the ex- 
isting public key schemes, but with shorter key lengths. Having short key lengths 
means smaller bandwidth and memory requirements. 


29 



3.2 Hyperelliptic curves and the Jacobian 


Let K be an arbitrary field, and let K denote its algebraic closure. We define a 
hyperelliptic curve C of genus g over K to be an equation of the form 

+ h{u)v = f(u), (3.1) 

where h(u) is a polynomial of degree at most g and f(u) is a monic polynomial of 
degree 2g+l. 

Here / and h have coefficients in K, and we require that the curve has no singular 
pomts(u,v), i.e., there be no values u,v el( which satisfy (3.1) and also both of the 
partial derivative equations 

2v + h{u) = 0 

and 

h'{u)v — f'{u) = 0. 

Let L be afield containing K. By an L-pomt P € Cwe mean either the symbol co 
or else a solution u = x e L, v = y £ L of (3.1). The latter is called a ’’finite point” 
and is denoted by Px,y If o' is an automorphism of L over K, we let P°' denote 

Pcr(x),a(y) ^nd Set OO^ = OO. 

We shall denote the group of principal divisors as P. If the divisors of degree 0 are 
represented as D°, then the Jacobian J of C is defined to be the quotient group 
J = D°/P. 

If P={x,y) is a point on the curve C, then so is its ’’opposite”- defined as • P=(a:,- 
y-h(x)). The points P and P are zeros of the function {u — x), which has a double 
pole at OO. Thus the divisor P+( P) — 2oo = 0 (mod F) or — P = P — 2oo (mod 
F). It follows that each element of J can be represented in the form 

r 

D = ^ Pi - roo, 

t=l 

with the following condition satisfied; If the point Pi = (ari, t/i) appears in D, then 
the point Pi does not appear as one of the Pj(j j^i). Such a divisor is called 
"semireduced”. 



Riemann— Roch said in [9] that each element of J can be uniquely represented 
by such a divisor, subject to the additional restriction that r < g. Such divisors are 
called ” reduced” . 

A semireduced divisor D = E rn,)oo can be uniquely represented as 

the gcd of two principal divisors of functions of the form a(u) and 6(u) - v (i.e., 
D=gcd {(a(u)),(h(u)-v ))) , where 

= n(w - 

and h(u) is the unique polynomial of degree< dega satisfying 

6 (x,) = y, 

with appropriate multiplicity when the point P, appears' more than once in D. Ex- 
plicitly, if Pi appears k timed in D, then b{u)^ + h{u)b{u) — /(u) must be divisible 
by a{u). 

A divisor D represented in the form gcd{a(u), (b(u)-v)) is abbreviated as D = 
div(a,6). D is’ reduced if and only if deg a < g. 

3.2.1 Group Law 

An element of our group J is an equivalence class of divisors. Every divisor is equiv- 
alent to a unique ’’reduced” divisor, by which we mean a semireduced D=div[a,b) 
for which deg a<g. 

Consider two divisors I)j=div(aj, and =div(a2,62) G J. Let O be the 
identity element of J. Then, addition is defined as follows; 

a. O -f- Di — Di and Di 0 = Dj . 

b. -O = O. 

c. If Dj ^ <9,then —Dj ={aj,—bi — h). 

d. If Ds=-Di, then Dj + Ds = 0 . 


31 



e. If D 2 0,D2 ^ 0,D2 — Z)7,then we find a divisor I)~ Dj + Dg through 

the algorithm stated below. 

As in any abelian group, the notation mD denotes D added to itself m times if m is 
positive, and —D added to itself [ m | times if m is negative, and OD = O. 

The algorithm for adding divisors De J consists of two stages. 

Given Dj =div(a;, bj) and Z}2=div(ag, 62), we first find a semireduced divisor 
D=div{a,b) such that D Dj + Dg. Next, we ’’reduce” Z?, i.e., we find a’(u) and 
b’(u) such that deg a' < g^deg b' <deg a’,and i)~div(a’,6’). 

First we describe Extended Euclidean algorithm which is needed in the composition 
rules. 

Extended Euclidean Algorithm : Given the polynomials and (whose 
gcd has to be found), define = 1 , = 0 and compute 

r^^\x) , {x) , by the iterative procedure 

r^^~'^\x) — a^^\x)r^^~^\x) + r^^\x)degA^'^ < degr^^~^^ 
pW(a;) = 

A\so,r^~^'>{x)p^^~^'>[x) — rG'®)(2:)g(*^--^) = [—lYr^^~^'>[x), for k= 0 , 1 , 2 ,.... The al- 
gorithm will eventually terminate with = d.Then 

q^^\x)r^^~^^x) = r^~^\x), 

r^^~^'^{x) = gcd{r^~'^\x),r^~^\x)) 

We wish to find the sum of div(ai, bj) and div(ag, 62) on the Jacobian of the 
curve + hv = /, where ai,a2,bi, b2, h, and / are all polynomials in u. (Here h 
and / have coefficients in K, and a^, ag, bj,b2 may have coefficients in an extension 
field of K). 

Stage 1 

Addition. Let d-d(u) be the gcd of the three polynomials a/(u),C2(u), and 


32 



6; (u) + ^>2 (u)+ h('u), and choose Sj(^u),S2{u), and Ss{u) to be polynomials in u 
such that 


d — Sj Q,j + 52 fflg + 53 (6^ + 62 d" h). 

For this the extended euclidean algorithm is to be used twice. 
Set 


a = aj as/d^ 


and 


b — (s; U; 62 + S20.2bi + 53(6^ 62 + f))l d (mod a). 

The correctness of the algorithm has been proved in [3]. 

Thus div(a,6) is semireduced and represents the divisor sum in the Jacobian. 
Special cases. 

1. If a; and 02 have no common factor, then d=l, we can take 53=0, and so 
a = aj a2,b = Siaib2 + S2a2bi (mod a). 

2. When 03 = 0.1 and 62 = b]{, i.e., we are doubling an element of J), we can 
take 52=0. Assume char K =2 and h('wj=l.Then d=l,5i = 53=0,53 =l,and 
a = af,b — bf +f (mod a). 

Stage 2 

Reduction : Given jD=div(a, 5 ) with deg a>g, the following procedure replaces D 
with an equivalent divisor D—div{a’,b) for which deg a’<deg a. By successively 
applying the procedure. we eventually obtain D”=div{a”,b”) for which D” and deg 
a < 9 - 
Wc set 

a> = {f-hb- h^)/a 

and then 

b' = —h — b (mod a’). 


33 



Remark. In the case ^l(elliptic curves), the reduced divisors I)=div(w = x, y) are 
in one-to-one correspondence with the points 6 C. The above algorithm then 
reduces to the usual formulas for the addition of points on an elliptic curve(see [17]). 
Examples: Let K=¥2 be the field of two elements. For P € C we let pb) denote 
P^^-, where is the automorphism of F 2 given by x ^ In certain cases there are 
simple formulas expressing 2^ Pm terms of Pb) which give a short-cut in computing 
multiples of D (]E^m,)cx 3 . The formulas below all follow by repeated 

application of Stage 1 (special case 2) and then Stage 2 of the algorithm. 

1. C is given hy + v — , g = 1, then 


2P = -p(2). 


2. C is given hy + v = + u + 1 , g = then 

4P = -pU). 

3. C is given hy + uv = 1 , g = I, then 

16P = P(^l - P(^). 


A 

4. C is given hy + v = , g = 2, then 

6iP = -Pb^). 

5. C is given hy v = v.^ g = 2, then 

8P = p(®). 

In the next chapter, we give a general method for reducing the calculation of mP 
for m large to the computation of linear combinations of Pb) with small coefScients. 


.34 



3.3 Security aspects of hyperelliptic curves 

In terms of hyperelliptic curves, the discrete logarithm problem is the following 
Definition: Let P ^ 3 over Fqhe an element of maximum order n^, and let R €J 
Given P and R, determine the unique integer /,0 < / < m - 1, such that R - IP 
provided that such an integer exists. 

In order to use the jacobians for cryptosystems, the discrete logarithm prob- 
lem should be intractable. As for the intractability of the discrete logarithm of 
the elliptic curve, it has been known that some specific elliptic discrete logarithms 
are as tractable as multiplicative discrete logarithms (MOV reduction attack see 
[27]). Thus it remained open whether these results about elliptic curves could be ex- 
tended to hyperelliptic curves. The hyperelliptic discrete logarithm is characterized 
as more intractable than the multiplicative discrete logarithm, see [24], A problem 
corresponding the hyperelliptic discrete logarithm is in NP n co-AM, while a prob- 
lem corresponding the multiplicative discrete logarithm is in NP n co-NP. However 
it remained open whether the problem corresponding to the hyperelliptic discrete 
logarithm is in NP n co-NP. 

Okamoto and Sakurai in [19] extended the above results of elliptic curves to 
derive similar results for hyperelliptic curves. 

The Weil pairing was originally defined over elliptic curves by A. Weil in [25]. 
Larig generalized the Weil pairing over the abelian varieties. Okamoto and Sakurai 
defined the extended Weil pairing on the Jacobian of the hyperelliptic curves, which 
is a specific class of Lang’s generalization. 

Definition: Let C be a hyperelliptic curve defined over K,and J be the jacobian on 
C {J = D^/P).Let J[m] be D°[m]/Pand lUm be the set of m-th roots of unity, where 
D®[m]=(D ] D GD°and mD — 0)and the characteristic of K is prime to m. 

Then, we deine a pairing (the extended Weil pairing) as a mapping 

Sm :J[m] ♦ J[m] ^ fJ-m- 

The algorithm for computing this pairing has been given in [19]. These results formed 
the basis of the reduction of the HDLP to the conventional multiplicative discrete 


35 



logarithms, which is an extension of the result by MOV. 


Frey and Ruck Reduction Attack : 

If the order of the Jacobian contains a prime factor of r decimal digits, then for se- 
curity purpose r should not divide - 1 for small values of k for which the discrete 
logarithm in is feasible. In general, 1 <k< 2000 /logsq suffices. 

The most powerful general algoiithm, for solving discrete logarithm problem, known 
at pr(\sent is the baby-step giant-step algorithm of Shanks [ 17]. Let (S' be a group 
of order n and consider the interval l(n) of integers from 0 to n-1. Let a and /S be 
t.wo inenilx'is of G, and .suppose we want to determine (if such exists), an integer x 
in I{n) sucii that The algorithm is as follows: 

Lt't //;=[ ]. Then pn'coinpute a list of pairs (Gn') for 0< i < m. Then for 
<'ach ./,()< 'j < ni. compute and see if this element is the second component 

of a ni('mb(‘r of the precomputed list. If da-jm = od for some ?, 0< i < m, then 
ij = ofherw'ise no .solution exists for x. 

This algorit hm naiuirc's a table with 0(m) entries. To sort the table and search it 
for (>ach vahu' of j n'ciuiix's in total 0(mlogm.) operations. A group of approximately 
10'“’ (‘lement.s would render this attack infeasible with current technology. Pohlig 
H<'llman method tak(‘H advantage of the factorization of the order n of the group. 

n = nL/ Pi' 

If then the approach is to determine x modulo pf' for each i, and then 

use the Chinese remainder theorem to compute x modulo n. This method fails if 
th(‘ ord('r n contain a prime factor of about 40 decimal digits. 

Therefore a hyperelliptic curve selected- for cryptosystem should have : 

1. A prime factor of about 40 decimal digits in the order of its Jacobian 

2. should not be mapped into an extension of finite field for small values of k 



3.4 Order of Jacobian 


We assume that K=Fg is a finite field with q elements.The abelian group 3{L) is 
finite for any finite extension L=Fjn.We set 

Nn = #(J(F,n)). 

Koblitz in [12] gave a method for computing the order through zeta faction. A basic 
fact about the //„ is that there is a simple method for determining the sequence 
Aj , As, ... by counting the number of F,n solutions of the equation of Cfot the first 
g values r?.=l,...,.9.Wc now describe this method. 

Let M„ = ^{C(Fgn)) — g", where i^{C(Fgn)) is the number of solutions u,v 
GF^t. of the equation + h{u)v = /(tt).Associated with the curve Cis a polynomial 
Z(T) of degree 2g with integer coefficients having the form 

Z{T) = + aiT^^~'^ + ...+ag.rT^+^ + agT^ 

+ qag.iT^-^ + + q^~\T + q^ 

= m{T-aj){T-aj)), ( 3 . 2 ) 

where a/,..., a, G Z and where by = q/oij (i.e., the roots are complex numbers of 
abvSolute value ).The relationship between Z(T) and M„ is the following power 
series identity (where 2(r) denotes the reciprocal polynomial T^^Z{1 /T)): 

iog(J(r)) = E~;^r". 

Thus the first g values M /, Mg are enough to determine the coefficients of Z(T). 
Once Z(T) has been found, i'/n can be determined from the formula 

A'n = n I 1 - (3.3) 

j=i 

where || denotes the usual complex absolute value.In particular, W = Z{1). 

We have. 

(gn/2 _ i)2s < < (g"/2 + 1)2^, 

i.e., Nn is asymptotically of magnitude g”®. 

.^7 



This result agrees with the Hasse theorem stated in [17] 

Hasse Theorem.:Lei he the order of an elliptic curve (g=l) group E{F) 

defined over a field Fg with q elements. Then 

Here the explicit formulas in the simplest cases g=l and g=2. 

= 1 : If a is a root of + M; T + g,then iV„ =| i - a" . 

Example: The equation E:y^=x^+x + 6 over the finite field Fn (the integers 
modulo 11) defines an elliptic curve. 

Here q = 11. n = 1 and fi:E{Fgn) = 12. Therefore Afj = 12 - 11 = 1. This gives 
Nj = 13 which includes the point at infinity. 

= 2: We first find the number of F, and solutions of + h{u)v=f{u), 
therhy (h'ternhning Af, and Ms. The coefficients ofZ(T)are given by Uj = Af^, = (Af/ 
Next, let p/ and p-> be the two roots of the quadratic equation + (as - 2q) 

= 0. Then for j= 1.2 is a root of the quadratic equation - yjX + q = 0. 
Finally.Fn =[ 1 - a'/ 1~| 1 - 1^. 

For cryptographic- purposes it is desirable for iV„ = #(J(F,n)) to be divisible by a 
large prinu- nuniber(about 30-40 decimal digits). The ideal case is for itself to 
be prinie.However, this rarely happens, because J(F^d) is a subgroup of J(F,n) for 
any divi.sor d of n, and so Nd \ Nn. 

Definition: We say that iV„ is almost prime if iV„ divided by the least common 
multiple of Nd {!< d < n,d \ n) is prime. In particular, for n prime we say that iV„ 
is ahno.st prime if Nn/Nj is prime. 

N'o now mssunu’ that n i.s prime. By (3.3), we have 

•V..AV. = ni(l-aP/(l-aiOp. (3.4) 

If the Oj are not all conjugates, i.e., if the polynomial Z(T) factors over the rationale, 
then even for n prime the value Nn/Nj in (3.4) has a corresponding factorization. 

Therefore, we have to look for an irreducible Z(T) for obtaining a large prime factor 
in the order of tlie jacobian. 



3.5 Cryptosystems 

As the HDLP is intractable, 'v\e can construct various public key cryptosystems in 
which taking large multiples of a group element is the trapdoor function. 

In the following subsections, we shall discuss the hyperelliptic curve analogs of 
some public kc}’ cryptosystems discussed earlier. 

3.5.1 Diffie-Hellman Scheme 

Suppose that two users A and B want to agree upon a secret key. Then the Diffie- 
Hellman key exchange [7] works as follows: 

Private keys: 

• tjia (the private key of user A) 

• rriB (the private key of user B) 

Public Information: 

• the finite fitdcl F,n 

• the equation of curve C 

• a fixed element Do €J{F^n) 

• m/iDo (the public key of user A) 

• tub Do (tke public key of user B) 

Each user A chooses a large integer Ma, which is kept secret, and computes and 
makes public tlie divisor When two users A and B wish to have a key for use 

in some other crypt o.'^y.stciu. they use the divisor €J(F 5 n). Here divisors 

are reduced to the form div{a,&) with deg h < deg a < g . Some standard way may 
be agreed upon, using the coefficients of a and b, to associate to div(a,6) an integer 
which serves as the key. 


39 



3.5.2 ElGamal Scheme 


Consider a hyperelliptic curve C defined over a field F,n with order of its Jacobian as 
#J(F,n). Let Do e J(F,n) be a fixed and publicly known divisor. Each user chooses 
an integer m. randomly, such that, 0 < m,- < #J(F,n) and makes the divisor m,Do 
public while keeping n;.,- secret. The working field and the equation of the curve are 
made i)ublic. 

Now we have t,o first- cmbedd the message onto some point of the curve before 
going to the act.ual scheme. 

Message Imbedding 

Here is one possible probabilistic method to imbed plaintexts as points on a curve C 
defined over F .Let k bt' a large enough integer so that we are satisfied with a failure 
probability of 1 out of 2^' when we attempt to imbed plaintext message units m; in 
practice /i“30 or at worst A“50 should suffice. We suppose that our message units 
rn are integers 0 < m < M. We also suppose that our finite field is chosen so that 
f/" > Mk. We write the integers from 1 to Mk in the form mk + j , where 1< j < k, 
and we set up 1-i eorresi)on(lene<> between such integers and a set of elements of F^n. 
For example, we write such an integer as an r- digit integer to the base q, and take 
the r digits, considered as elements of Z/qZ^ as the coefficients of a polynomial of 
degree r— 1 eornrponding to an element of F,n, i.e., the integer (a^-; , Or-s, oo), 
(■orresi)ou(h- to the polynomial which, considered modulo some degree— r 

irreducible polynomial over F, , gives an element of F,n. 

Thus, given m, for each 1. 2, ..,fcwe obtain an element xofF^n corresponding 
to rnk + j . 

Let C 1ms ec|uation + h(u)v — /(n), as before. Choose the coordinate u=x as 
de.scril)ed in the previous paragraph and attempt to solve + h{x)v = f{x) for v. 

Case 1. g is o<ld. Then tlie problem reduces to taking a square root in a finite field. 
There is apj)ro:<imat(‘ly a 50% chance that a solution v=y exists. If no solu- 
titm exists, then we choose another u=x as described earlier and repeat the 
procedure. 


an 



Case 2. q is even.Then h(x)^ 0, and the change of variables z=v/h(x) leads to the 
■ equation + z = a, where a = f{x)/h{x)^ . This equation has a solution 
z eFgn if = 0 and does not have a solution if this trace is 1. In the 

latter case, we must choose another u = x and start again. In the former case 
we can find z as follows; 

If g = 5 " is an odd power of 2, simply set 2; = 

For even n, first choose 7 such that T’rF^„/F27=l- Next, set dj = a + ^ 

for j = l, 2 ,...,n. Finally, take z = • 

Now that we have mapped the message to point {x,y) on the curve C, we can map 
it to the divisor Dm as usual. 

ElGamal Procedure 

Suppose user A has to send a message Dm to user €J(Fjn). A chooses a 

random integer such that 0< niA < and sends the following pair of 

points as the ciphertext to B. 

Cm = {rriADo, Dm + rriAimBDo)) 

Here msDo is the public key of B. 

To decrypt the message, B multiplies tuaDo with his secret key and finds the 
opposite of this divisor. He then adds this to the second divisor in the ciphertext 
pair to get the original message. 

Dm = Dm + mA(mBDo) + 

It is clear that there is a message expansion by a factor 2. For each message divisor, 
two divisors have to be sent as ciphertext. From the security point of view, same 
rriA should not be used for consecutive blocks of encryption. If tua is used for more 
than one block, knowledge of one block Dmj of the message enables an intruder to 
compute other blocks as follows. Let Ci and Cs be two consecutive cipher blocks 
for the messages Dm^ and Dm^- Using the same tua, 

Cl = {rnADo^Dmi +mA{mBDo)) 


41 



C 2 — {m^Do,Dm2 + ’fnAi'i^BDo)) 


Now, if Dmj is known, the common key rriAmBDo can be easily found, therby re- 
vealing the plaintext corresponding to C2 . 

A single curve C defined over a field F^n alogwith the base divisor Do can be shared 
by a group of people. The security of the system depends on the hyperelliptic curve 
discrete logarithm problem. 

3.6 Implementations over 

Curves over F^n are advantageous for the following reasons; 

• The arithmetic in F is easier to implement in computer hardware than the 
arithmetic in finite fields of characteristic greater than 2 . 

• When using a normal basis representation for the elements of F^n ,squaring 
a field element becomes a simple cyclic shift of the vector representation, and 
thus reduces the multiplication count in adding two points. 

3.6.1 Normal basis representation 

The field Fsm can be viewed as a vector space of dimension m over F2. That is, 
there exists a set of m elements ao,ai , ..., am-i in Fgm such that each a eFs^ can 
be written uniquely in the form 

a = where ai e { 0 ,J}. 

We can then represent a as the 0 — 1 vector (ao, gj, ..., ). In hardware, a 

field element is stored in a shift register of length m. Addition of field elements 
is performed by bitwise XOR— ing the vector representations, and takes one clock 
cycle. 

In general, there are many different bases of F^m over F2. A normal basis of 
Fgm over F2 is a basis of the form 


An 





where /? eF^m; it is well known [16] that such a basis always exists.Given any 
element a eF^m, we can write a = ciif3^\ where a,- G {0, 1 }. Since squaring 

is a linear operator in F gm ,we have 


a" = EITo' = ZTJo = {am-uao, 


with indices reduced modulo m. Hence a normal basis (NB) representation of F^m 
is advantageous because squaring a field element can then be accomplished by a 
simple rotation of the vector representation, an operation that is easily implemented 
in hardware; squaring an element also takes one clock cycle. 

Multiplication in a normal basis element representation is more complicated. Let 
the elements A,B, C of F^m in terms of NB be given as : 

m— 1 

A = 

2=1 

m~l 

B = 

2=1 

C = A.B 

m—l 

= 

2=1 

m— 1 m— 1 
2=1 j=l 

Let the cross product terms: 

m — 1 

€{ 0 , 1 } 

fc=l 

Substitution yields the following bilinear form for Ck'- 

m— 1 m—l 

Cfc = E E 

2=1 J =1 

m—l m—l 

= E E 

2=1 J=1 


where the subscripts of a and b are taken mod m. Thus we have 


4 .^ 



c„ = ^aB^-a = (aS/>) 

A. — (OQ) ^1) <^Tn— l) 

^ (^0 j ) •••) ^ m — 1 ) 

C — (cq, Cj, ..., CjTi—i) 

where is the transpose of B. The remaining coefficients of C can be found using 
the same matrix, but with A and B cyclically shifted. 

In terms of hardware implementation of the arithmetic operation of multiplica- 
tion the circuit to compute Cq also computes Ck if the registers holding A and B are 
cyclically shifted k positions to the left. Massey and Omura constructed a serial— in 
serial— out multiplier to exploit this particular aspect of normal bases. 

The complexity of such a circuit is determined by ,the number of non— zero 
terms x[p , since this quantity measures the number of interconnections between the 
registers containing A,B and C. Clearly, we have Cn < m^. A lower bound on CV 
is Cj^ > 2m — 1 [28]. If Ciq = 2m — 1 ,then the normal basis is said to be optimal. 
In [28] , constructions are given , together with a list of fields for which these bases 
exist. 

We see that the addition of divisors requires squaring of a polynomial in the given 
field. If the normal basis representation is used for the coefficients of the polynomial 
then the addition of divisors can be carried in an efficient manner. 

In this chapter we have made our acquaintance with the hyperelliptic cryptosys- 
tems. The requirements for a secure cryptographic system over hyperelliptic curves 
are discussed. The effectiveness of theory is shown through implementations de- 
scribed in the next chapter. 


44 



Chapter 4 


Results and Conclusion 

4.1 Introduction 

The calculation of modular products are an important part of software implemen- 
tations of many cryptographic protocols such as the well-known RSA public key 
algorithm. In these exponential cryptographic systems, there is a need for fast 
modular exponentiation, that is the calculation of 

C — M® mod n (4.1) 

where for acceptable levels of security C, M, e and n are multiprecision numbers. 
Similarly, the basic operation performed in a hyperelliptic cryptosystem is the com- 
putation of multiplicity, mH, of a divisor on the curve defined over a finite field. 
Multiplication and squaring in (4.1) is replaced by addition and doubling in our 
case. For a large n and m, the time complexity of elementary operations as well as 
the number of elementary operations are very high. Thus, reducing the number of 
such operations is important when implementing the above algorithms. 

Let us first consider the computation C — mod n. The conventionally used al- 
gorithm for this is the binary method, described by Knuth [10], The method is 
outlined below. 

G is finite group of order n. 

Input: a E G, I G Z 


45 



Output: Q-' 

1. Let I = Yll-g bj2\ bi € {0, l},bt = 1, be the binary representation of 1. 

2. Set 0 i — Oi. 

3. For i from t — 1 down to 0 do 


0 ^ 0.0 


If = 1 then 0 ■(— 0.a 

4. Output 0 

We see that the algorithm comprises of a sequence of squarings and multiplications, 
the total number of which depends on v(e), the number of I’s (hamming weight) 
in the binary representation of the exponent. In this method for each bit of the 
exponent except the first, squaring is done and if the bit is 1, then a multiplication 
is also done. 

In our case, algorithm for computing mD can be given as; 

Input; D G J,m € Z. 

Output: mD 

1. Let m = nL (7 bt2\bi E {0 , 1}, 6t=l, be the binary representation of m. 

2. Set D' 

3. For i from t — 1 down to 0 do 


D' ^D’ + D' 


If 6, = f then D' ^ D ^ D' 

4. Output D’ 


46 



As we know from our algorithm for addition of divisors, that doubling a divisor is 
cheaper(in terms of operations) as compared to' the addition of two distinct divisors, 
we can successfully apply the above method for the computation of mD. 

In practice, rather than using the pure repeated doubling method, in some cases 
it is more efficient to combine it with a procedure which replaces mD by a linear 
combination with small integer coefficients of the divisors (where a : x is 
the Frobenius automorphism of F^n ). This sometimes reduces the total number of 
additions of divisors that must be performed in order to compute mD. Koblitz in 
[12] described a procedure which in many cases simplifies the computation of large 
multiples of group elements. We now give the theorem stated by him. 

Let J be the Jacobian of genus g curve defined over F^. Suppose that no is large 
enough so that 

(1 + < 2 . 

Then there exists a ‘polynomial— time algorithm 'which for any m and n gives an 
expression for mD, D € J(F 5 n); in the form a^D'^^ in which the integers aj 
satisfy I |< g”®®. 

Our aim is to resolve mD into accordig to the constraints laid by 

Koblitz’s theorem. 

For this proceed in the following manner : 

Input : The polynomial Z(T) associated with the curve C, along with its complex 
conjugate roots, i.e. , 

Output : An integer no - 
Steps : 

Initially = 1. If the constant term of Z(T) is greater than the sum of the 
absolute values of all other coefficients then Stop else find no as given in (1). 

1. Find no such that 


A7 



(i + q-^of^yg < 2 


2. Find given as 

^n,(r) = n|=.(T-af)(r-a7”0 

3. Express I> e J as 

q'^osD ~ -(^„^(cr"o) _ g"05)Z), 

where Z{a) e Z[G] and (? = Gal(F^n/F,) = {a^}j&zinz. 

The results obtained on implementation of this algorithm have been discussed in 
the next section. 


4.2 Implementation 

The effectiveness of the various algorithms mentioned earlier has been shown by 
implementing them in SIMATH. 

SIMATH is a software package which facilitates computations using algebraic 
structures and number theory. It was developed in Germany. 

Besides other feature, it consists of a polynomial package for computation with 
polynomials in any number of unknowns over any of the structures contained in the 
arithmetic package. 

4.2.1 Construction of irreducible Z(T) 

In Chapter 3, Section 3.4, an algorithm for finding an irreducible polynomial Z(T) 
of degree 2g associated with the curve C was presented. Especially ^1, 2 cases 
were discussed. 

We have selected certain curves conforming to the equation of hyperelliptic curve 
(3.1) and found the polynomial Z(T) associated with them. Tables 4.1 and 4.2 
list the curve C along with the associated polynomial Z(T) for genus two and one 

48 




Equation of C 



Ml 

M 2 

Z(T) 

1. 

xp' V = -¥ 

4 

4 

2 

0 

+ 2T^ + 2T2 + 4r + 

2. 

-f- 'U = 4" + 1 

0 

4 

-2 

0 

- 2T^ + 2T^ -4T + 

3. 

+ V = vP + u 

2 

8 

0 

4 

+ 2r2 + 4 

4. 

+ uu = n? + 1 

3 

3 

1 

-1 

+ 2T + 4 

5. 

+ uv = + 1 

1 

3 

-1 

-1 

T^-T^ -2T + 4 


Table 4.1; Genus two curves 

over F 2 with irreducible Z(T). 

Equation of C 

*C{F,) 

Ml 

Z(T) 

1. v^ + v = u^ 

2 

0 

T^ + 2 

2. v'^ + v = + u 

4 

2 

T^ + 2T+2 

3. v^ + v = u^ + u + l 

0 

-2 

T^-2T + 2 

4. v'^ + uv = + 1 

1 

-1 

T2 - T + 2 

5. + uu = u® + 1 

3 

1 

T^ + T + 2 


Table 4.2: Genus one curves over F 2 with irreducible Z(T). 


respectively. Here we listed only those curves for which Z(T) was irreducible, i.e., it 
did not factorize over the rationals. 


4.2.2 Utilizing Koblitz’s algorithm for computing mD 

We tried to resolve mD into according to the algorithm given in previous 

section. 


49 






Equation of C 

no 


Expression 

1. + v — + u^ 

6 

+ 64)2 

64D = 

2, v^ + v = u^ + u^ + l 

6 

(7^12 + 64)2 

64D = 

3. + v = + u^ + u 

1 

+ 2T2 + 4 

8D = D^^^ 

4. + UV = + 1 

5 

(7^10 _ 27^5 ^ 32) 

2^°D = + 9D^^D 



.(7-10 _ 77^5 ^ 32) 

_78D(io) + 

5. + uv = + 1 

5 

(J.10 ^ 77^5 ^ 32) 

2{io)D = 



■{T^° + 2T^ + 32) 

-78D^^°'> - 288D^^'> 

6. + V = 

1 

r^ + 4 

4D = -D^^^ 

Table 4.3: Expressions for computing mD in case of genus two. 

Equation of C 


no Zr,,{T-o) 

Expression 

1. v'^ + v = 


1 r2 + 2 

2D = 

2. + V = + u 


1 

00 

16D = DW 

3. v‘^ + v — u^ + u + 1 

4 T® + 87^ + 16 

4D = -D^^'l 

4. + uv = + 1 


4 T’S _ 7^4 ^ 

16D = D^^^ - D^^'> 


Table 4.4: Expressions for computing mD in case of genus one. 


Tables 4.3 and 4.4 list the results obtained for genus two and one respectively. 
Now we reduce m (in case of mD) to a list of modulo 64 for the firstcurve of Table 
4.3. 


m = Y,j mj 0 < mj < 64, 

and 

mD = 

We now present the results which compare the time taken by pure doubling method 
and the method proposed by Koblitz for the computation of mD. 


50 










m 

Pure doubling method 

Proposed method 

26 

10 ms. 

8 ms. 

218 

40 ms. 

14 ms. 

to 

or 

120 ms. 

31 ms. 

266 

150 ms. 

36 ms. 

to 

170 ms. 

39 ms. 


Table 4.5; Average time for computation of mD on the stated curve 

We did the computations over F237. The irreducible modulo polynomial in spe- 
cial bit notation, the polynomials h(u), f(u) of curve C and the chosen divisor Do 
(comprising of polynomials a(u) and b(u)) in sparse representation are given below 
in the same order : 

(Consider a polynomial a„a;"’ -f ■+■ ... + ao defined over (1) Its special 

bit representation comprises of a list in which the first element denotes the degree 
of polynomial which is n in our case, and the remaining is the value of the polyno- 
mial obtained by replacing x by q. (2) Its sparse representation comprises of a list 
of the kind (n(a„) n- i(a„_i) ... 0{ao)) where the coefficients (a„ a„-j...ao) are 
represented in special bit notation.) 

(37 128 748589809) 

(0 (0 1 )) 

(5 (0 1) 3 (0 1)) 

( (1 (0 1) 0 (1 2)) (0 (34 28 959279377)) ) 

The timing details have been given in Table 4.5. If we employ the normal basis 
representation for the coefficients of the polynomials, we will be having 64D in 12 
cyclic shifts. 


CENTRAL LtSRARK 

1 IT. 


n 

order 

5 

13-61 

17 

13-1326700741 

23 

13-5415624023749 

29 

13-22170214192500421 

37 

13-1453030298001690873541 

41 

13-2953-125965976976392564317 

43 

13-5951631966296685834686149 

47 

13-5641-270097268484167653999069 

53 

13-207973-30007459254393181618012897 


Table 4.6; Almost prime values of #J(F 2 n) for C given hy -{■ v = 

4.2.3 Computing the order of the Jacobian 

For a secure cryptographic system, the order of the Jacobian should be divisible 
by a large prime factor. We now tabulate some results based on the algorithm for 
computing the order of the Jacobian given in Section 3.4. 

In the tables, the notation P(X) denotes a prime factor of X digits. 

Note, in Tables 4.6—4.12, iVj, i.e., #J(F 2 ) = Z(l). 

For a secure cryptographic system, a prime factor of around 30 digits is needed in 
the order of the Jacobian. In Tables 4.6—4.12 we see that genus one and two curves 
satisfy this requirement. The genus two curves give the same number of digits in 
the prime factor of the order of the Jacobian as genus one curves but with small 
extensions of GF(2) as compared to the latter. Therefore for genus two curves, 
computations have to be done for comparatively small fields. 


52 



n 

order 

5 

2-2-2-101 

7 

2-2-2-1471 

29 

2-2-2-59-610759905970679 

31 

2-2-2-373-1545462843139867 

47 

2-2-2-2475880306890745647875014951 

67 

2-2-2-2-13-17-19-648311249249076664071 794331476802317 

73 

2-2-2-3-31-17293-6933237701177583921705528248044961137 


Table 4.7: Almost prime values of #J(F 2 >») for C given hy uv = + 1 


n 

order 

5 

2-701 

7 

2-11173 

13 

2-33651853 

19 

2-137987565589 

29 

2-59-2442221041332503 

43 

2-38685599708692613136777013 

47 

2-1787-5541980638502137414220063 

59 

2-2-2-71549-580558425405424244185694400811 


Table 4.8: Almost prime values of #J(F 2 "-) for C given hy + uv — + 1 


53 


n 

order 

5 

1321 

7 

14449 

11 

4327489 

19 

275415303169 

23 

70334392823809 

31 

4611545283086450689 

53 

10177-7971862004867103303293462593 


Table 4.9: #J(F 2 n) for C given hy + v = + 1 


n 

order 

29 

5-107367629 

43 

5-1759217765581 

53 

5-1801439824104653 

89 

5-123794003928545064364330189 

107 

5-857-37866809061660057264219253397 

173 

5-13625405957.P(42) 

233 

5-3108221-P(63) 

239 

5-77852679293-P(61) 


Table 4.10: #J(F 2 ") for C given hy + v = + u 







n 

order 

47 

140737471578113 

73 

9444732965601851473921 

89 

1069-579017791994999956106149 

137 

189061-921525707911840587390617330886362701 

139 

557-1251163891299967635860272509229764287909 

239 

P(72) 


Table 4.11: #J(F 2 n) for C given by + v — u 1 


n 

order 

73 

2-877-5384682420498870703 

101 

2-1267650600228230886142808508011 

107 

2-81129638414606692182851032212511 

109 

2-324518553658426701487448656461467 


Table 4.12: 7 ^J(F 2 n) for C given hy + uv = ■+ + 1 


55 
















4.2.4 Implementation of ElGamal scheme 

The ElGamal scheme has been implemented in software. The software uses three 
files namely, pv,bLkey.elg,prw-key.elg,hyp-cur.elg. The file pubLkey.elg contains 
the public keys and privJzey.elg has the secret key of the user. The file hyp-cur.elg 
contains the parameters of the hyperelliptic curve over which the system works. At 
the start of the program, the curve parameters are read from this file. By changing 
the parameters in the curve, the system can be made to work with different set 
of curves. This makes the system very flexible. Shown below is a sample of the 
^\e hyp -cur.elg. Here we have taken a hyperelliptic curve defined over F237. The 
modulo polynomial, the curve equation given by h(u) and f(u), and the divisor Do 
comprising of a(u) and h(u) are given below in that order : 

(37 128 748589809 ) 

(0 (0 1 )) 

(5 (0 1 ) 3 (0 1 )) 

{ (1 {0 1 -) 0 (1 2 )) (0 (34 28 959279377 )) ) 

The software consists of the following modules : 

• Encryption 

• Decryption 

• Key Generation 

We took an arbitrary point on the curve and mapped it to a divisor. This constituted 
our message divisor. We then successively passed it through the encryption and 
decryption modules. Our aim is to recover back the original message divisor. 

Key Generation 

Any new user has to get registered before he can enter the system. The user chooses 
an USER— ID and enters a random number. This random number ser\7es as the users 
secret key k. The program now computes the public key k ■ Do for this user. The 
public key and the secret key are written in the files pubLkey.elg and pnv-key.elg 


56 



respectively. Given below is a sample session for key generation. 
The parameters of the working curve are : 
n=37 
genus=2 

the modulo polynomial is 

(37 128 748589809) 

h(u)= (0 (0 1)) 
f(u)= (5 (0 1) 3 (0 1)) 

Base divisor is ( (1 (0 1) 0 (1 2)) (0 (34 28 959279377)) ) 

press any key to continue 
Enter : 

T’ for encryption 
’2’ for decryption 
’3’ for key generation 
’4’ for listing valid ID’s 


< 3 > 

Please enter the USER— ID you require in alphanumeric < Neha > 

Enter a random number < ^J{Fp)] This is your secret key. . 

< 9494384751792551490964 > 

The public key ’k.D’ of Neha is 

((2(0 1) 1(34 20 592015758) 0(30 1 246137796)) (1(35 37 773824283) 0(36 67 
457521479))) 

Key generation successful!!! 
press any key to continue 

A sample of the file priv-key.elg is shown below ; 

#Neha 



9494384751792551490964 

#Ruchi 

'98786512345078123456789 

^Akash 

34567887654312344321122 

#Mayank 

45454556566767787889890 

We have applied Koblite's method for computing k.D. Therefore the private key of 
each user is first broken into a list of ascending powers of 64.The lists obtained are • 
#Neha : (20 22 31 20 24 37 5 37 14 4 43 0 2) 

#Ruchi : (21 36 21 2 45 20 16 44 1 41 51 58 20) 

#Akash : (34 49 7 23 50 16 17 20 15 55 30 20 7) 

#Mayank: (34 19 13 16 5 39 14 56 48 34 l 40 9) 

A sample of the file pubLkey.elg is shown below : 


#Neha 

((2(0 1) 1(34 20 592015758) 0(30 1 246137796)) (1(35 37 773824283) 0(36 67 
457521479))) 

#Ruchi 

((2(0 1) 1(36 76 229191970) 0(35 39 659078824)) (1(6 111 224047393) 0(36 123 
54102510))) 

#Akash 

((2(0 1) 1(34 16 453924485) 0(35 53 299556516)) (1(4 24 855898293) 0(34 23 
128317278))) 

#Mayank 

((2(0 1) 1(35 53 743168203) 0(36 101 21483127)) (1(5 32 163998377) 0(36 127 
546219480))) 


Now consider a sample session between Neha and Ruchi. Neha wants to com- 
municate to Ruchi. So she selects the latter’s public key and multiplies it with her 



own private key. To the common key generated, she now adds the message divisor 
and sends it to Ruchi. The latter sees the public key of Neha, multiplies it with her 
own private key and then computes the opposite of the generated common key. She 
now adds it to the received divisor to recover the message divisor, 
press any key to continue 
■Enter : 

T’ for encryption 
’2’ for decryption 
’3’ for key generation 
’4’ for listing valid ID’s 


< 1 > 

Enter your identity ; < Neha > 

ID check O.K. 

Enter receiver’s identity : < Ruchi > 

ID check O.K. 

ENCRYPTING!!! 

Encryption process successful. 

The group element sent to Ruchi is 

((2(0 1) 1(36 127 309624909) 0(36 78 722981934)) (1(35 48 729765714) 0(36 113 
747156001))) 

press any key to continue 
Enter : 

’1’ for encryption 
’2’ for decryption 


’3’ for key generation 



’4’ for listing valid ID’s 


< 2 > 

Enter your identity : < Ruchi > 

ID check O.K. 

DECRYPTING!!! 

Decryption process successful, 
press any key to continue 

<Type any key other than ’2’, ’3’, and ’4’ to exit> 

4.3 Conclusion 

In this thesis we looked into various aspects of implementing a hyperelliptic cryp- 
tosystem. We saw that the protocols implemented over hyperelliptic curves have 
the advantage of having small keys than the conventional systems defined over mul- 
tiplicative group of a finite field for the same level of security. 

We generated curves with large prime factor in the order of the Jacobian and 
discussed technique for efficient computation of multiplicity of a divisor. The effi- 
ciency of Koblitz’s method over the pure repeated doubling method in computing 
mD will be more if we employ normal basis representation for the coefficients of the 
polynomials. 

We paid special attention to fields with characteristic two. Similar results could 
be carried over to curves over prime fields, though the speed will be slow in this 
case. In our work, all computations have been shown for genus two case. As the 
genus increases, the computational complexity increases too. However, genus one 
and two curves can be efficiently used for the construction of secure cryptosystems. 

For the implementation of a full fledged hyperelliptic cryptosystem, all the ba- 
sic blocks have to be highly optimized, e.g., basic field arithmetic routines are, to 
be written in assembly language. Our implementation was optimized only at the 
algorithm level. 



Bibliography 


y ' Algebraic Geometry for Scientists and Engineers. AMSpubli- 
cations, 1984. 

2. E.R.Berlekamp. Algebraic coding theory. New York; McGraw Hill, 1968. 

Computing in the j acobian of an hyperelliptic curve” , Math. Comp , 
48, 95-101, 1987. 

4. J.S.Chahal. Topics in number theory. Plenum Press, 1986. 

H.Cohn A classical invitation to algebraic numbers and classfields. Springer- 
Verlag Universitext, 1978. 

6. D.E.Dennmg. Cryptography and data security. Addison- Wesley, 1982. 

7. W.Diffie and M.E.Hellman, ’’New directions in cryptography”, IEEE Trans, 
on Information Theory, Vol.IT-22, No.6, Nov. 1976, 644-654. 

T.Elgamal, A public key cryptosystem and a signature scheme based on dis- 
crete logarithms", IEEE Trans, on Information Theory, 31, 1985, 469-472. 

9. W.Fulton. Algebraic curves. Benjamin, New York, 1969. 

10. D.Knuth. The art of computer programming. Vol.2, Reading, MA; Addison- 
Wesley, 1981. 

11. N.Kobhtz, "Elliptic curve cryptosystems”, Math. Comp., 48, 1987, 203-209. 

12. N.Koblitz, Hyperelliptic Cryptosystems”, Journal of Cryptology, Vol.l, 1989, 
139-150. 

13. N.Koblitz. Introduction to elliptic curves and modular forms. Springer- Verlag, 
GTM No-97, 1984. 



14. M.D.Mandelbaum, On iterative arrays for the euclidean algorithm over finite 
fields”, IEEE Trans, on Computers, Vol-38, No.lO, Octl989. 

15. R.J.McEliece. Finite fields for computer scientists and engineers. Kluwer 
Academic Publications, 1992. 

16. A.Menezes. Applications of finite fields. Kluwer Academic Publications, 1994. 

17. A.Menezes. Elliptic curve public key cryptosystems. Kluwer Academic Publi- 
cations, 1994. 

18. A.M.Odlyzko, ’’Discrete logarithms and their cryptographic significance”, Ad- 
vances in cryptology: Proceedings of Eurucrypt’84, Springer- Verlag, New York, 
1985, 224-314. 

19. T.Okamoto, K.Sakurai, ’’Efficient algorithms for the construction of hyper- 
elliptic cryptosystems”, Advances in Cryptology-Crypto’91, LNCS, Vol.576, 
Springer Verlag, New York, 1991. 

20. T.Ono. An introduction to algebraic number theory. 1988. 

21. F.Oort. Reducible and multiple algebraic curves. Royal VanGorcum Ltd., 
Netherlands. 

22. R.Rivest, A. Shamir, L.Adleman, ”A method for obtaining digital signatures 
and public key cryptosystems”. Comm. ACM. 21, 2(Febl978), 120-126; reprinted 
in Comm. ACM.26, l(Janl983), 96-99. 

23. H.E-Rose. A course in number theory. Oxford University Press, 1994. 

24. H.Shizuya, T.Itoh, K.Sakurai, ”On the complexity of hyperelliptic discrete 
logarithm problem”. Advances in Cryptology- Eurocrypt’91, Springer Verlag, 
New York, 1991, 337-351. 

25 J.H. Silverman. The arithmetic of elliptic curves. Springer Verlag, GTM 106, 
New York, 1986. 



26. M.A.Tsfasman, S.G.Vladut. Algebraic-Geometric codes. Kluwer Academic 
Publications, 1991. 

27. S.A Vanstone, A.J.Menezes, T.Okamoto, "Reducing Elliptic curve logarithm 
to logarithms in a finite field”, Proc. of STOC’91, 1991, 80-89. 

28. R. Wilson, R.Mullin, I.Onyszchuk, and S. Vanstone, ’’Optimal Normal bases in 
GF(p^) ”, Discrete Applied Mathematics, 22(1988/89), 149-161. 




o»‘«s'Mt23209 

This book Is to ^pl^urned on the 
date last stamped. 



